Monthly Archives: June 2007

A few of us have been pulling together a community-oriented developer event here in the UK – DDD5. One of DDD5’s key goals is to nurture community talent and provide a platform for new speakers. First-time speakers, and I say this with the greatest respect, often need some tuition in order to deliver a good session.

If you are a new speaker, I believe that you’ll find Guy’s How to give great presentations an invaluable document! It’s full of top tips covering topic selection, preparation, expected slides, explaining things, demonstrations, use of PowerPoint, cheat or crib sheets, delivery, nervousness, humour, gadgets/pointing tools, drawing and zoom tools, mobile phones (what you can do to stop them from going off!) and how to close your presentation (bring it to an end).

I’m pleased to see Guy recommending ZoomIt – it’s a great tool that I use most of the time. It’s well worth taking a look at it if you are delivering a lot of presentations. Incidentally, ZoomIt is written and maintained by Mark Russinovich of SysInternals fame.

What:
In this presentation Martin Bell will be looking at the different ways to create XML query plans, such as T-SQL statements, SQL Profiler and DMVs. He will look at using XML schemas and the schema used for XML query plans. Methods of loading XML query plans into a database, including SSIS, CLR and T-SQL statements, will be demonstrated. XML query plans will be analysed using XQueries to show how you can monitor and detect performance issues.
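As an added illustration of the DMV and XQuery approach the abstract describes (this is example code, not material from Martin Bell’s session), the following T-SQL pulls XML plans out of the plan cache, stores them in a table and then uses XQuery to flag plans containing full scans or a missing-index hint. It assumes SQL Server 2005 or later, VIEW SERVER STATE permission, and a table name (dbo.CapturedPlans) chosen here for the example.

```sql
-- Added example (not from the talk): capture XML query plans via DMVs,
-- persist them, and analyse them with XQuery.
-- Assumes SQL Server 2005+ and VIEW SERVER STATE permission.

-- 1. A table to hold plans for later analysis (name is an assumption).
IF OBJECT_ID('dbo.CapturedPlans') IS NULL
    CREATE TABLE dbo.CapturedPlans
    (
        plan_id         int IDENTITY(1,1) PRIMARY KEY,
        captured_at     datetime      NOT NULL DEFAULT GETDATE(),
        execution_count bigint        NOT NULL,
        total_elapsed   bigint        NOT NULL,   -- microseconds
        sql_text        nvarchar(max) NULL,
        query_plan      xml           NOT NULL
    );

-- 2. Load plans from the cache. This is the DMV route; SET STATISTICS XML ON
--    and SQL Profiler's Showplan XML event are the other two sources.
INSERT INTO dbo.CapturedPlans (execution_count, total_elapsed, sql_text, query_plan)
SELECT  qs.execution_count,
        qs.total_elapsed_time,
        st.text,
        qp.query_plan
FROM    sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle)    AS st
CROSS APPLY sys.dm_exec_query_plan(qs.plan_handle) AS qp
WHERE   qp.query_plan IS NOT NULL;

-- 3. Analyse with XQuery. The showplan namespace must be declared as the
--    default namespace, otherwise the path expressions match nothing.
WITH XMLNAMESPACES (DEFAULT 'http://schemas.microsoft.com/sqlserver/2004/07/showplan')
SELECT  p.plan_id,
        p.execution_count,
        p.total_elapsed / NULLIF(p.execution_count, 0) AS avg_elapsed_us,
        LEFT(p.sql_text, 200) AS sql_snippet,
        -- number of table or clustered index scan operators in the plan
        p.query_plan.value(
            'count(//RelOp[@PhysicalOp="Table Scan" or @PhysicalOp="Clustered Index Scan"])',
            'int') AS scan_ops,
        -- 1 if the optimiser recorded a missing-index suggestion
        p.query_plan.exist('//MissingIndexes') AS has_missing_index_hint
FROM    dbo.CapturedPlans AS p
WHERE   p.query_plan.exist(
            '//RelOp[@PhysicalOp="Table Scan" or @PhysicalOp="Clustered Index Scan"]') = 1
ORDER BY avg_elapsed_us DESC;
```

Run step 2 on a schedule to build a history, and step 3 ad hoc; the WHERE clause in step 3 is where you would plug in whatever XQuery predicate matches the issue you are hunting (scans, spills, implicit conversions and so on).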

Martin Bell has been a freelance computer consultant in the UK for over 23 years. He has worked on many relational database systems and since 1998 has specialised in SQL Server. He was first awarded Microsoft MVP (SQL Server) status in June 2003.

This event is run by Scottish Developers in conjunction with the Scottish SQL Server User Group.

Room 15 is on Level 2 of the Continuing Professional Development Centre. The CPDC is on the left side (just past the bookshop) as you enter the university from the pedestrian entrance on Cowcaddens Road.

Overview
This is a cutting-edge and exciting 2 day course in which you will push your knowledge of the ASP.NET security framework to the limit. You will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defence techniques such as building an ASP.NET Security Protection Layer and how to create Authorization and Data Validation solutions.

Instructor
Dinis Cruz is a renowned application security expert who is passionate about training developers to move beyond the ‘comfort zone’ of standard ASP.NET development and into the world of advanced security-aware development, with the aim of making web applications as secure as possible against malware and malicious hackers. Dinis is also the project leader for the OWASP .NET Project, the main developer of several of the OWASP .NET tools (SAM’SHE, ANBS, SiteGenerator, PenTest Reporter, ASP.Net Reflector, Online IIS Metabase Explorer) and the author of many open source security tools (see http://www.owasp.org/index.php/.Net).

Agenda
The course is made up of 4 modules (2 per day, one in the morning and one in the afternoon).

Module 1: Security Principles and .NET Framework Architecture.
In this module you will learn the principles and architecture of the .NET Framework relating to security.

Module 2: Threat Modelling and Exploiting ASP.NET Applications.
In this module, you will use quick-and-dirty threat models to discover vulnerabilities in the target application and learn how to exploit vulnerabilities in ASP.NET applications, including exploiting buffer overflows and Windows vulnerabilities via ASP.NET applications.

Module 3: Exploiting Full Trust and Partial Trust Asp.Net Environments.
Day 2 will start with a practical demonstration of the power of Full Trust ASP.NET applications, how attackers could patch the .NET Framework and CLR, and how they could launch internal attacks to compromise servers and data centres. You will also look at how to exploit insecure Partial Trust ASP.NET environments.

Module 4: Advanced ASP.NET Countermeasures
Now that you know what the threats are and what could be done to jeopardise your ASP.NET applications, you will learn how to defend against these attacks. You will learn how to create secure Data Validation and Authorization architectures, how to create secure ASP.NET hosting environments and how to build an ASP.NET Security Protection Layer.

At the end of this course you will walk away with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

Equipment Requirements
A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

Knowledge Prerequisites
This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .NET Framework. To get the most out of this course, participants should have commercial experience in either application development or security auditing.

Miscellaneous
The course is a 2 day residential course and costs £900 for individuals, with discounts available for multiple bookings (this INCLUDES all food for the 2 days and accommodation for one night). For more details and to register for the course go to http://www.nxtgenug.net/Courses.aspx?courseid=4

The boys over at NxtGenUG have been busy cleaning out their recording equipment – so much so, they’ve very kindly put together a short video teaser or trailer for DeveloperDeveloperDeveloper!

If you’ve never attended a DDD event, hopefully this will give you a flavour of what it’s all about: it demonstrates why the event is so popular that it can “sell out” (even though it’s free!) within 5 days of registration opening!

Well, after six months of experimentation, and three Vista installs, I’ve decided to leave Windows XP behind (safely on a different bootable hard drive) and run with Windows Vista for my day-to-day work. I’m not short of people telling me that I’ll be reverting back to Windows XP within a short period of time. Nor am I short of “setup” and drive image tools. To boost the setup, I have 4GB of RAM and a 4GB USB drive taking the ReadyBoost strain. Acronis TrueImage 10 provides the partition imaging that I’m told I’ll need once I start to install things. For virus protection, I’m using NOD32. I’m hoping that I won’t need to roll back to an earlier point in time, and I do hope that a roll back to Windows XP isn’t required. Watch this space.

One problem that I did encounter was an error from Outlook 2007 during the send process. The error number was 0x800CCC80 – “None of the authentication methods supported by this client are supported by your server.” Naturally I checked the mail hosts and passwords; they all seemed to be fine. Now, because I chose to use my ISP’s outgoing mail service, in Outlook 2003 I would normally authenticate with their servers via the Outgoing Server tab. However, in Outlook 2007, it seems that this requirement is removed, certainly for me at least. I’ve since discovered that this was reported during the Outlook 2007 beta programme: unchecking “My outgoing server (SMTP) requires authentication” worked for some folks, but not all.